The General Data Protection Regulations (‘GDPR’) come into effect on 25 May 2018 and replace the existing Data Protection Directive.
The aim is to strengthen laws on the protection of processing personal data by requiring those whose capture personal information about us, often but not exclusively via our computers, tablets and mobile phones, to provide us with significantly more information about how and why our data is processed.
Why is this important? All of us provide ‘personal data’ (which includes our name, identification number, location data, online identifiers such as Internet Provider address etc) at some point, mainly in relation to the purchase of goods or services but also, perhaps, to our employer or medical practitioner.
Normally, that data will have been supplied at the time for a legitimate purpose but the GDPR deals with how that data is used or ‘processed’ after that initial purpose has been fulfilled.
The most common example of our personal data being processed is marketing material. This may come from the organisation to which you originally supplied your personal data or, not uncommonly, from third parties to whom your personal data has been sold.
The organisation which captured your personal information, ‘the data controller’ (to use the jargon), can only use your data if it has a lawful basis for processing.
In most cases the only way a commercial organisation will have a lawful basis for using your data is if you have given your consent.
The GDPR expressly requires consent to be freely given, specific, informed and unambiguous. You must make a positive step to ‘opt in’ for your data to be processed and organisations cannot rely on you not opting out. Thus the boxes which are often seen on websites asking you to opt out if you don’t want your data used for the purpose of sending material to you, are unlawful.
Responsible organisations will be contacting clients or customers in advance of the introduction of the GDPR asking for their specific consent to use their data and identifying the purpose for which they intend to use it. If such consent is not received they should terminate further communications unless and until the client or customer expressly opts in.
If you know or have reasonable grounds to suspect that your personal data is being used without your consent, you should contact the organisation concerned and ask it to specifically confirm in writing that it has erased your personal data. If it continues to use your data, most obviously by sending further communications to you, report the organisation to the Information Commissioners Office via its website.
